WIP: Move krb5 realm to pvv.local, make sane ldap structure

base/default.nix

@@ -1,7 +1,6 @@
 {
   pkgs,
   lib,
-  inputs,
   fp,
   ...
 }:
@@ -36,7 +35,6 @@
     ./services/prometheus-node-exporter.nix
     ./services/prometheus-systemd-exporter.nix
     ./services/roowho2.nix
-    ./services/scrutiny-collector.nix
     ./services/smartd.nix
     ./services/thermald.nix
     ./services/uptimed.nix
@@ -44,8 +42,6 @@
     ./services/userdbd.nix
   ];
 
-  system.nixos.tags = lib.optionals (inputs.self.sourceInfo ? dirtyRev) [ "dirty" ];
-
   boot.tmp.cleanOnBoot = lib.mkDefault true;
   boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 

base/networking.nix

@@ -3,6 +3,10 @@
   systemd.network.enable = true;
   networking.domain = "pvv.ntnu.no";
   networking.useDHCP = false;
+  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
+  # networking.tempAddresses = lib.mkDefault "disabled";
+  # networking.defaultGateway = values.hosts.gateway;
 
   # The rest of the networking configuration is usually sourced from /values.nix
 

base/services/polkit.nix

@@ -6,12 +6,9 @@ in
   security.polkit.enable = true;
 
   environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
-    polkit.addRule(function(action, subject) {
-       if (
-           action.id.startsWith("org.freedesktop.systemd1.") &&
-           subject.isInGroup("wheel")
-       ) {
-           return polkit.Result.AUTH_SELF_KEEP;
+    polkit.addAdminRule(function(action, subject) {
+        if(subject.isInGroup("wheel")) {
+            return ["unix-user:"+subject.user];
         }
     });
   '';

base/services/scrutiny-collector.nix

@@ -1,11 +0,0 @@
-{ config, ... }:
-{
-  services.scrutiny.collector = {
-    enable = !config.services.qemuGuest.enable;
-    settings = {
-      version = 1;
-      host.id = config.networking.hostName;
-      api.endpoint = "https://scrutiny.pvv.ntnu.no/";
-    };
-  };
-}

flake.lock

@@ -1,27 +1,5 @@
 {
   "nodes": {
-    "bro": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "rust-overlay": "rust-overlay"
-      },
-      "locked": {
-        "lastModified": 1779629827,
-        "narHash": "sha256-nrlB50/oelB8oFx9DhOoXI5z0VoTZGEA6XxYvkvpqDA=",
-        "ref": "main",
-        "rev": "7d0f35e12e4dec39f981c08fc33515589f41f4a5",
-        "revCount": 3,
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/bro.git"
-      },
-      "original": {
-        "ref": "main",
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/bro.git"
-      }
-    },
     "crane": {
       "locked": {
         "lastModified": 1776635034,
@@ -123,7 +101,7 @@
         "nixpkgs": [
           "nixpkgs-unstable"
         ],
-        "rust-overlay": "rust-overlay_2"
+        "rust-overlay": "rust-overlay"
       },
       "locked": {
         "lastModified": 1777019032,
@@ -187,7 +165,7 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "rust-overlay": "rust-overlay_3"
+        "rust-overlay": "rust-overlay_2"
       },
       "locked": {
         "lastModified": 1767906976,
@@ -316,11 +294,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1779774845,
-        "narHash": "sha256-QJU1J4eupwjRrtvWGzRut0GY3woql92RS9O/acWkJkk=",
+        "lastModified": 1764869785,
+        "narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=",
         "ref": "main",
-        "rev": "13667cd216db260ab549e6f1b6281aa230d2f9e0",
-        "revCount": 29,
+        "rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2",
+        "revCount": 23,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
       },
@@ -337,11 +315,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1779903528,
-        "narHash": "sha256-4rajaHeBeQ4PjbNSpslE9G3A5mZM1J/64ls+VoufWZo=",
+        "lastModified": 1778960428,
+        "narHash": "sha256-YAs3LbFGlBLJW3xHeoQfTq2GBBXTvuSKl2WXDtloczU=",
         "ref": "main",
-        "rev": "bba7413a1c611d4918fbef4d3aa55e465ca3f3fb",
-        "revCount": 585,
+        "rev": "927748790b1f7159adfe32a3ad9ec01d22e9c5a2",
+        "revCount": 583,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -374,7 +352,6 @@
     },
     "root": {
       "inputs": {
-        "bro": "bro",
         "dibbler": "dibbler",
         "disko": "disko",
         "gergle": "gergle",
@@ -400,7 +377,7 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "rust-overlay": "rust-overlay_4"
+        "rust-overlay": "rust-overlay_3"
       },
       "locked": {
         "lastModified": 1778600367,
@@ -419,27 +396,6 @@
       }
     },
     "rust-overlay": {
-      "inputs": {
-        "nixpkgs": [
-          "bro",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1779419951,
-        "narHash": "sha256-dMX0PUslUHPajP6o8FEoRdFv9afq/dec4POR0vVfjK4=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "5b5c521d6cae9ef4aa32f888eb2c0ce595c9be52",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
-      }
-    },
-    "rust-overlay_2": {
       "inputs": {
         "nixpkgs": [
           "greg-ng",
@@ -460,7 +416,7 @@
         "type": "github"
       }
     },
-    "rust-overlay_3": {
+    "rust-overlay_2": {
       "inputs": {
         "nixpkgs": [
           "minecraft-heatmap",
@@ -481,7 +437,7 @@
         "type": "github"
       }
     },
-    "rust-overlay_4": {
+    "rust-overlay_3": {
       "inputs": {
         "nixpkgs": [
           "roowho2",

flake.nix

@@ -47,9 +47,6 @@
 
     qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
     qotd.inputs.nixpkgs.follows = "nixpkgs";
-
-    bro.url = "git+https://git.pvv.ntnu.no/Projects/bro.git?ref=main";
-    bro.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = {
@@ -215,16 +212,10 @@
           ];
           overlays = [inputs.dibbler.overlays.default];
         };
+        dagali = stableNixosConfig "dagali" { };
         shark = stableNixosConfig "shark" {};
         wenche = stableNixosConfig "wenche" {};
-        temmie = stableNixosConfig "temmie" {
-          overlays = [
-            inputs.bro.overlays.default
-          ];
-          modules = [
-            inputs.bro.nixosModules.default
-          ];
-        };
+        temmie = stableNixosConfig "temmie" {};
         gluttony = stableNixosConfig "gluttony" {
           overlays = [
             (final: prev: { bluemap = final.callPackage ./packages/bluemap.nix {}; })

hosts/bekkalokk/services/mediawiki/default.nix

@@ -107,8 +107,6 @@ in {
         CodeEditor
         CodeMirror
         DeleteBatch
-        MediawikiMatrixNotifs
-        PdfHandler
         PluggableAuth
         Popups
         Scribunto
@@ -183,17 +181,12 @@ in {
       ];
 
       # Misc program paths
-      $wgFFmpegLocation = '${lib.getExe pkgs.ffmpeg}';
-      $wgExiftool = '${lib.getExe pkgs.exiftool}';
-      $wgExiv2Command = '${lib.getExe pkgs.exiv2}';
+      $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
+      $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
+      $wgExiv2Command = '${pkgs.exiv2}/bin/exiv2';
       # See https://gist.github.com/sergejmueller/088dce028b6dd120a16e
-      $wgJpegTran = '${lib.getExe' pkgs.mozjpeg "jpegtran"}';
-      $wgGitBin = '${lib.getExe pkgs.git}';
-      $wgDiff3 = '${lib.getExe' pkgs.diffutils "diff3"}';
-      $wgDiff = '${lib.getExe' pkgs.diffutils "diff"}';
-
-      $wgUseImageMagick = true;
-      $wgImageMagickConvertCommand = '${lib.getExe pkgs.imagemagick}';
+      $wgJpegTran = '${pkgs.mozjpeg}/bin/jpegtran';
+      $wgGitBin = '${pkgs.git}/bin/git';
 
       # Debugging
       $wgShowExceptionDetails = false;
@@ -218,13 +211,6 @@ in {
       # EXT:WikiEditor
       $wgWikiEditorRealtimePreview = true;
 
-      # EXT:PdfHandler
-      $wgPdfProcessor = '${lib.getExe pkgs.ghostscript_headless}';
-      $wgPdfPostProcessor = $wgImageMagickConvertCommand;
-      $wgPdfInfo = '${lib.getExe' pkgs.poppler-utils "pdfinfo"}';
-      $wgPdftoText = '${lib.getExe' pkgs.poppler-utils "pdftotext"}';
-
-      # Override key from hardcoded config in nixpkgs
       $wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}");
     '';
   };

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -56,10 +56,10 @@ in
     locations."/roundcube" = {
       tryFiles = "$uri $uri/ =404";
       index = "index.php";
-      root = pkgs.linkFarm "roundcube-dir" {
-        roundcube = "${cfg.package}";
-      };
-
+      root = pkgs.runCommandLocal "roundcube-dir" { } ''
+        mkdir -p $out
+        ln -s ${cfg.package} $out/roundcube
+      '';
       extraConfig = ''
         location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
         # https://wiki.archlinux.org/title/Roundcube

hosts/bekkalokk/services/website/default.nix

@@ -119,7 +119,6 @@ in {
   services.nginx.virtualHosts."pvv.ntnu.no" = {
     globalRedirect = cfg.domainName;
     redirectCode = 307;
-    kTLS = true;
     forceSSL = true;
     useACMEHost = "www.pvv.ntnu.no";
   };
@@ -127,7 +126,6 @@ in {
   services.nginx.virtualHosts."www.pvv.org" = {
     globalRedirect = cfg.domainName;
     redirectCode = 307;
-    kTLS = true;
     forceSSL = true;
     useACMEHost = "www.pvv.ntnu.no";
   };
@@ -135,13 +133,11 @@ in {
   services.nginx.virtualHosts."pvv.org" = {
     globalRedirect = cfg.domainName;
     redirectCode = 307;
-    kTLS = true;
     forceSSL = true;
     useACMEHost = "www.pvv.ntnu.no";
   };
 
   services.nginx.virtualHosts.${cfg.domainName} = {
-    kTLS = true;
     locations = {
       # Proxy home directories
       "^~ /~" = {

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -37,22 +37,9 @@ in {
   };
 
   systemd.services.pvv-nettsiden-gallery-update = {
-    serviceConfig = {
-      WorkingDirectory = galleryDir;
-      User = config.services.pvv-nettsiden.user;
-      Group = config.services.pvv-nettsiden.group;
+    path = with pkgs; [ imagemagick gnutar gzip ];
 
-      ExecStart = lib.getExe (pkgs.writeShellApplication {
-        name = "pvv-nettsiden-gallery-update-exec-start.sh";
-        runtimeInputs = with pkgs; [
-          coreutils
-          findutils
-          gnused
-          gnutar
-          gzip
-          imagemagick
-        ];
-        text = ''
+    script = ''
       tar ${lib.cli.toCommandLineShellGNU { } {
         extract = true;
         file = "${transferDir}/gallery.tar.gz";
@@ -60,7 +47,7 @@ in {
       }}
 
       # Delete files and directories that exists in the gallery that don't exist in the tarball
-          filesToRemove="$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))"
+      filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))
       while IFS= read -r fname; do
         rm -f "$fname" ||:
         rm -f ".thumbnails/$fname.png" ||:
@@ -69,7 +56,7 @@ in {
       find . -type d -empty -delete
 
       mkdir -p .thumbnails
-          images="$(find . -type f -not -path './.thumbnails*')"
+      images=$(find . -type f -not -path './.thumbnails*')
 
       while IFS= read -r fname; do
         # Skip this file if an up-to-date thumbnail already exists
@@ -85,7 +72,11 @@ in {
         touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
       done <<< "$images"
     '';
-      });
+
+    serviceConfig = {
+      WorkingDirectory = galleryDir;
+      User = config.services.pvv-nettsiden.user;
+      Group = config.services.pvv-nettsiden.group;
 
       AmbientCapabilities = [ "" ];
       CapabilityBoundingSet = [ "" ];

hosts/bicep/services/git-mirrors/default.nix

@@ -83,7 +83,6 @@ in
   };
 
   services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
-    kTLS = true;
     forceSSL = true;
     enableACME = true;
 

hosts/bicep/services/matrix/hookshot/default.nix

@@ -22,7 +22,6 @@ in
   sops.templates."hookshot-registration.yaml" = {
     owner = config.users.users.matrix-synapse.name;
     group = config.users.groups.keys-matrix-registrations.name;
-    mode = "0440";
     restartUnits = [ "matrix-hookshot.service" ];
     content = ''
       id: matrix-hookshot
@@ -50,59 +49,12 @@ in
 
   systemd.services.matrix-hookshot = {
     serviceConfig = {
-      DynamicUser = true;
       SupplementaryGroups = [
         config.users.groups.keys-matrix-registrations.name
       ];
       LoadCredential = [
         "passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
       ];
-
-      RuntimeDirectory = [ "matrix-hookshot/root-mnt" ];
-      RootDirectory = "/run/matrix-hookshot/root-mnt";
-      BindReadOnlyPaths = [
-        config.sops.templates."hookshot-registration.yaml".path
-        builtins.storeDir
-        "/etc"
-        "/run/nscd"
-        "/var/run/nscd"
-      ];
-
-      AmbientCapabilities = "";
-      CapabilityBoundingSet = "";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = false; # node needs this
-      NoNewPrivileges = true;
-      PrivateDevices = true;
-      PrivateMounts = true;
-      PrivateTmp = true;
-      PrivateUsers = true;
-      ProcSubset = "pid";
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "strict";
-      RemoveIPC = true;
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
-        "AF_UNIX"
-      ];
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-        "~@resources"
-      ];
-      UMask = "0077";
     };
   };
 
@@ -194,7 +146,6 @@ in
   };
 
   services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
-    kTLS = true;
     enableACME = true;
     addSSL = true;
     locations."/" = {

hosts/bicep/services/matrix/mjolnir.nix

@@ -54,53 +54,4 @@
     # TODO: Fix upstream module in nixpkgs
     pantalaimon.username = "bot_admin";
   };
-
-  systemd.services.mjolnir.serviceConfig = {
-    DynamicUser = true;
-    RuntimeDirectory = [ "mjolnir/root-mnt" ];
-    RootDirectory = "/run/mjolnir/root-mnt";
-    BindReadOnlyPaths = [
-      config.sops.secrets."matrix/mjolnir/access_token".path
-      builtins.storeDir
-      "/etc"
-      "/run/nscd"
-      "/var/run/nscd"
-    ];
-
-    AmbientCapabilities = "";
-    CapabilityBoundingSet = "";
-    LockPersonality = true;
-    MemoryDenyWriteExecute = false; # node needs this
-    NoNewPrivileges = true;
-    PrivateDevices = true;
-    PrivateMounts = true;
-    PrivateTmp = true;
-    PrivateUsers = true;
-    ProcSubset = "pid";
-    ProtectClock = true;
-    ProtectControlGroups = true;
-    ProtectHome = true;
-    ProtectHostname = true;
-    ProtectKernelLogs = true;
-    ProtectKernelModules = true;
-    ProtectKernelTunables = true;
-    ProtectProc = "invisible";
-    ProtectSystem = "strict";
-    RemoveIPC = true;
-    RestrictAddressFamilies = [
-      "AF_INET"
-      "AF_INET6"
-      "AF_UNIX"
-    ];
-    RestrictNamespaces = true;
-    RestrictRealtime = true;
-    RestrictSUIDSGID = true;
-    SystemCallArchitectures = "native";
-    SystemCallFilter = [
-      "@system-service"
-      "~@privileged"
-      "~@resources"
-    ];
-    UMask = "0077";
-  };
 }

hosts/bicep/services/matrix/out-of-your-element.nix

@@ -56,55 +56,6 @@ in
     enableSynapseIntegration = false;
   };
 
-  systemd.services."matrix-ooye" = {
-    serviceConfig = {
-      RuntimeDirectory = [ "matrix-ooye/root-mnt" ];
-      RootDirectory = "/run/matrix-ooye/root-mnt";
-      BindReadOnlyPaths = [
-        builtins.storeDir
-        "/etc"
-        "/run/nscd"
-        "/var/run/nscd"
-      ];
-
-      AmbientCapabilities = "";
-      CapabilityBoundingSet = "";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = false; # node needs this
-      NoNewPrivileges = true;
-      PrivateDevices = true;
-      PrivateMounts = true;
-      PrivateTmp = true;
-      PrivateUsers = true;
-      ProcSubset = "pid";
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "strict";
-      RemoveIPC = true;
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
-        "AF_UNIX"
-      ];
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-        "~@resources"
-      ];
-      UMask = "0077";
-    };
-  };
-
   systemd.services."matrix-synapse" = {
     after = [
       "matrix-ooye-pre-start.service"
@@ -129,7 +80,6 @@ in
   };
 
   services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
-    kTLS = true;
     forceSSL = true;
     enableACME = true;
     locations."/".proxyPass = "http://localhost:${cfg.socket}";

hosts/bicep/services/minecraft-heatmap.nix

@@ -23,28 +23,27 @@ in
   };
 
   systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
-    serviceConfig = {
-      LoadCredential = [
+    serviceConfig.LoadCredential = [
       "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
     ];
-      ExecStartPre = let
+
+    preStart = let
       knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
         innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
         innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
         innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
       '';
-        rsyncArgs = lib.cli.toCommandLineShellGNU { } {
-          archive = true;
-          verbose = true;
-          progress = true;
-          no-owner = true;
-          no-group = true;
-        };
-        sshCommand = ''${pkgs.openssh}/bin/ssh -o UserKnownHostsFile='${knownHostsFile}' -i \"$CREDENTIALS_DIRECTORY\"/sshkey'';
-      in [
-        "${lib.getExe' pkgs.coreutils "mkdir"} -p '${cfg.minecraftLogsDir}'"
-        "${lib.getExe pkgs.rsync} ${rsyncArgs} --rsh=\"${sshCommand}\" root@innovation.pvv.ntnu.no:/ '${cfg.minecraftLogsDir}'/"
-      ];
-    };
+    in ''
+      mkdir -p '${cfg.minecraftLogsDir}'
+      "${lib.getExe pkgs.rsync}" \
+      --archive \
+      --verbose \
+      --progress \
+      --no-owner \
+      --no-group \
+      --rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
+      root@innovation.pvv.ntnu.no:/ \
+      '${cfg.minecraftLogsDir}'/
+    '';
   };
 }

hosts/dagali/TODO.md

@@ -0,0 +1,78 @@
+# Tracking document for new PVV kerberos auth stack
+
+![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
+
+<div align="center">
+  Bensinstasjon på heimdal
+</div>
+
+### TODO:
+
+- [ ] setup heimdal
+  - [x] ensure running with systemd
+  - [x] compile smbk5pwd (part of openldap)
+  - [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
+  - [ ] fully initialize PVV.NTNU.NO
+    - [x] `kadmin -l init PVV.NTNU.NO`
+    - [x] add oysteikt/admin@PVV.NTNU.NO principal
+    - [x] add oysteikt@PVV.NTNU.NO principal
+    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
+      - why is this needed, and where is it documented?
+      - `kadmin check` seems to work under sudo?
+      - (it is included by default, just included as error message
+         in a weird state)
+
+    - [x] Ensure client is working correctly
+      - [x] Ensure kinit works on darbu
+      - [x] Ensure kpasswd works on darbu
+      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
+
+    - [ ] Ensure kdc is working correctly
+      - [x] Ensure kinit works on dagali
+      - [x] Ensure kpasswd works on dagali
+      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
+
+    - [x] Fix FQDN
+      - https://github.com/NixOS/nixpkgs/issues/94011
+      - https://github.com/NixOS/nixpkgs/issues/261269
+      - Possibly fixed by disabling systemd-resolved
+
+- [ ] setup cyrus sasl
+  - [x] ensure running with systemd 
+  - [x] verify GSSAPI support plugin is installed
+    - `nix-shell -p cyrus_sasl --command pluginviewer`
+  - [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
+  - [x] verify cyrus sasl is able to talk to heimdal
+    - `sudo testsaslauthd -u oysteikt -p <password>`
+  - [ ] provide ldap principal to cyrus sasl through keytab
+
+- [ ] setup openldap
+  - [x] ensure running with systemd
+  - [ ] verify openldap is able to talk to cyrus sasl
+  - [ ] create user for oysteikt in openldap
+  - [ ] authenticate openldap login through sasl
+    - does this require creating an ldap user?
+
+- [ ] fix smbk5pwd integration
+  - [x] add smbk5pwd schemas to openldap
+  - [x] create openldap db for smbk5pwd with overlays
+  - [ ] test to ensure that user sync is working
+  - [ ] test as user source (replace passwd)
+  - [ ] test as PAM auth source
+  - [ ] test as auth source for 3rd party appliation
+
+- [ ] Set up ldap administration panel
+  - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
+
+- [ ] Set up kerberos SRV DNS entry
+
+### Information and URLS
+
+- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
+- Use a keytab: https://kb.iu.edu/d/aumh
+- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
+- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
+- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
+- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
+- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
+- saslauthd(8): https://linux.die.net/man/8/saslauthd

hosts/dagali/configuration.nix

@@ -0,0 +1,51 @@
+
+{ config, pkgs, values, lib, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../base.nix
+    ../../misc/metrics-exporters.nix
+
+    ./services/heimdal.nix
+    #./services/openldap.nix
+    ./services/cyrus-sasl.nix
+  ];
+
+  # buskerud does not support efi?
+  # boot.loader.systemd-boot.enable = true;
+  # boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  # resolved messes up FQDN coming from nscd
+  services.resolved.enable = false;
+
+  networking.hostName = "dagali";
+  networking.domain = lib.mkForce "pvv.local";
+  networking.hosts = {
+    "129.241.210.185" = [ "dagali.pvv.local" ];
+  };
+  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
+  networking.tempAddresses = "disabled";
+  networking.networkmanager.enable = true;
+
+  systemd.network.networks."ens18" = values.defaultNetworkConfig // {
+    matchConfig.Name = "ens18";
+    address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+    # TODO: consider adding to base.nix
+    nix-output-monitor
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+}

hosts/dagali/hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/dagali/services/cyrus-sasl.nix

@@ -0,0 +1,21 @@
+{ config, ... }:
+let
+  cfg = config.services.saslauthd;
+in
+{
+  # TODO: This is seemingly required for openldap to authenticate
+  #       against kerberos, but I have no idea how to configure it as
+  #       such. Does it need a keytab? There's a binary "testsaslauthd"
+  #       that follows with `pkgs.cyrus_sasl` that might be useful.
+  services.saslauthd = {
+    enable = true;
+    mechanism = "kerberos5";
+    config = ''
+      mech_list: gs2-krb5 gssapi
+      keytab: /etc/krb5.keytab
+    '';
+  };
+
+  # TODO: maybe the upstream module should consider doing this?
+  environment.systemPackages = [ cfg.package ];
+}

hosts/dagali/services/heimdal.nix

@@ -0,0 +1,100 @@
+{ config, pkgs, lib, ... }:
+let
+  realm = "PVV.LOCAL";
+  cfg = config.security.krb5;
+in
+{
+  security.krb5 = {
+    enable = true;
+
+    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
+    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
+    #       will do for now.
+    package = pkgs.heimdal.overrideAttrs (prev: {
+      postInstall = prev.postInstall + ''
+        cp include/heim_threads.h $dev/include
+      '';
+    });
+
+    settings = {
+      realms.${realm} = {
+        kdc = [ "dagali.${lib.toLower realm}" ];
+        admin_server = "dagali.${lib.toLower realm}";
+        kpasswd_server = "dagali.${lib.toLower realm}";
+        default_domain = lib.toLower realm;
+        primary_kdc = "dagali.${lib.toLower realm}";
+      };
+
+      kadmin.default_keys = lib.concatStringsSep " " [
+        "aes256-cts-hmac-sha1-96:pw-salt"
+        "aes128-cts-hmac-sha1-96:pw-salt"
+      ];
+
+      libdefaults.default_etypes = lib.concatStringsSep " " [
+        "aes256-cts-hmac-sha1-96"
+        "aes128-cts-hmac-sha1-96"
+      ];
+
+      libdefaults = {
+        default_realm = realm;
+        dns_lookup_kdc = false;
+        dns_lookup_realm = false;
+      };
+
+      domain_realm = {
+        "${lib.toLower realm}" = realm;
+        ".${lib.toLower realm}" = realm;
+      };
+
+      logging = {
+        # kdc = "CONSOLE";
+        kdc = "SYSLOG:DEBUG:AUTH";
+        admin_server = "SYSLOG:DEBUG:AUTH";
+        default = "SYSLOG:DEBUG:AUTH";
+      };
+    };
+  };
+
+  services.kerberos_server = {
+    enable = true;
+    settings = {
+      realms.${realm} = {
+        dbname = "/var/lib/heimdal/heimdal";
+        mkey = "/var/lib/heimdal/m-key";
+        acl = [
+          {
+            principal = "kadmin/admin";
+            access = "all";
+          }
+          {
+            principal = "felixalb/admin";
+            access = "all";
+          }
+          {
+            principal = "oysteikt/admin";
+            access = "all";
+          }
+        ];
+      };
+      # kadmin.default_keys = lib.concatStringsSep " " [
+      #   "aes256-cts-hmac-sha1-96:pw-salt"
+      #   "aes128-cts-hmac-sha1-96:pw-salt"
+      # ];
+
+      # libdefaults.default_etypes = lib.concatStringsSep " " [
+      #   "aes256-cts-hmac-sha1-96"
+      #   "aes128-cts-hmac-sha1-96"
+      # ];
+
+      # password_quality.min_length = 8;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
+  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
+
+  networking.hosts = {
+    "127.0.0.2" = lib.mkForce [ ];
+    "::1" = lib.mkForce [ ];
+  };
+}

hosts/dagali/services/openldap.nix

@@ -0,0 +1,121 @@
+{ config, pkgs, lib, ... }:
+{
+  services.openldap = let
+    dn = "dc=pvv,dc=ntnu,dc=no";
+    cfg = config.services.openldap;
+
+    heimdal = config.security.krb5.package;
+  in {
+    enable = true;
+
+    # NOTE: this is a custom build of openldap with support for
+    #       perl and kerberos.
+    package = pkgs.openldap.overrideAttrs (prev: {
+      # https://github.com/openldap/openldap/blob/master/configure
+      configureFlags = prev.configureFlags ++ [
+        # Connect to slapd via UNIX socket
+        "--enable-local"
+        # Cyrus SASL
+        "--enable-spasswd"
+        # Reverse hostname lookups
+        "--enable-rlookups"
+        # perl
+        "--enable-perl"
+      ];
+
+      buildInputs = prev.buildInputs ++ [
+        pkgs.perl
+	# NOTE: do not upstream this, it might not work with
+	#       MIT in the same way
+        heimdal
+      ];
+
+      extraContribModules = prev.extraContribModules ++ [
+        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
+        "smbk5pwd"
+      ];
+    });
+
+    settings = {
+      attrs = {
+        olcLogLevel = [ "stats" "config" "args" ];
+
+        # olcAuthzRegexp = ''
+        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
+        #         "uid=heimdal,${dn2}"
+        # '';
+
+        # olcSaslSecProps = "minssf=0";
+      };
+
+      children = {
+        "cn=schema".includes = let
+          # NOTE: needed for smbk5pwd.so module
+          schemaToLdif = name: path: pkgs.runCommandNoCC name {
+            buildInputs = with pkgs; [ schema2ldif ];
+          } ''
+            schema2ldif "${path}" > $out
+          '';
+
+          hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
+          samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
+        in [
+           "${cfg.package}/etc/schema/core.ldif"
+           "${cfg.package}/etc/schema/cosine.ldif"
+           "${cfg.package}/etc/schema/nis.ldif"
+           "${cfg.package}/etc/schema/inetorgperson.ldif"
+           "${hdb-ldif}"
+           "${samba-ldif}"
+        ];
+
+        # NOTE: installation of smbk5pwd.so module
+        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
+        "cn=module{0}".attrs = {
+          objectClass = [ "olcModuleList" ];
+          olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
+        };
+
+        # NOTE: activation of smbk5pwd.so module for {1}mdb
+        "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
+          objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
+          olcOverlay = "{0}smbk5pwd";
+          olcSmbK5PwdEnable = [ "krb5" "samba" ];
+          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
+        };
+
+        "olcDatabase={1}mdb".attrs = {
+          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+          olcDatabase = "{1}mdb";
+
+          olcSuffix = dn;
+
+          # TODO: PW is supposed to be a secret, but it's probably fine for testing
+          olcRootDN = "cn=users,${dn}";
+
+          # TODO: replace with proper secret
+          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
+
+          olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
+          olcDbIndex = "objectClass eq";
+
+          olcAccess = [
+            ''{0}to attrs=userPassword,shadowLastChange
+                by dn.exact=cn=users,${dn} write
+                by self write
+                by anonymous auth
+                by * none''
+
+            ''{1}to dn.base=""
+                by * read''
+
+            /* allow read on anything else */
+            # ''{2}to *
+            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
+            #     by * read''
+          ];
+        };
+      };
+    };
+  };
+}

hosts/ildkule/services/monitoring/default.nix

@@ -5,7 +5,6 @@
     ./grafana.nix
     ./loki.nix
     ./prometheus
-    ./scrutiny.nix
     ./uptime-kuma.nix
   ];
 }

hosts/ildkule/services/monitoring/scrutiny.nix

@@ -1,40 +0,0 @@
-{ config, values, ... }:
-let
-  cfg = config.services.scrutiny;
-in
-{
-  services.scrutiny = {
-    enable = true;
-    settings = {
-      web.listen = {
-        host = "127.0.0.1";
-        port = 18293;
-        basepath = "";
-      };
-
-      # notify.urls = [
-      #   "matrix://username:password@host:port/[?rooms=!roomID1[,roomAlias2]]"
-      # ];
-    };
-  };
-
-  services.nginx.virtualHosts."scrutiny.pvv.ntnu.no" = {
-    kTLS = true;
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://${cfg.settings.web.listen.host}:${toString cfg.settings.web.listen.port}";
-    };
-
-    # TODO: allow website access to the outside world, but restrict input api
-    extraConfig = ''
-      allow ${values.hosts.ildkule.ipv4}/32;
-      allow ${values.hosts.ildkule.ipv6}/128;
-      allow 127.0.0.1/32;
-      allow ::1/128;
-      allow ${values.ipv4-space};
-      allow ${values.ipv6-space};
-      deny all;
-    '';
-  };
-}

hosts/ildkule/services/monitoring/uptime-kuma.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, values, ... }:
+{ config, pkgs, lib, ... }:
 let
   cfg = config.services.uptime-kuma;
   domain = "status.pvv.ntnu.no";
@@ -24,21 +24,4 @@ in {
     fsType = "bind";
     options = [ "bind" ];
   };
-
-  services.rsync-pull-targets = {
-    enable = true;
-    locations.${stateDir} = {
-      user = "root";
-      rrsyncArgs.ro = true;
-      authorizedKeysAttrs = [
-        "restrict"
-        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
-        "no-agent-forwarding"
-        "no-port-forwarding"
-        "no-pty"
-        "no-X11-forwarding"
-      ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJXzcDm6cVr4NmWzUSroy33FlielKqaG83wY0RCMC0p/ uptime_kuma rsync backup";
-    };
-  };
 }

hosts/kommode/services/gitea/customization/default.nix

@@ -72,9 +72,9 @@ in
       Type = "oneshot";
       User = cfg.user;
       Group = cfg.group;
-      PrivateNetwork = true;
+    };
 
-      ExecStart = let
+    script = let
       logo-svg = fp /assets/logo_blue_regular.svg;
       logo-png = fp /assets/logo_blue_regular.png;
 
@@ -102,22 +102,20 @@ in
         install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
         sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
       '';
-        install = lib.getExe' pkgs.coreutils "install";
-      in [
-        "${install} -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'"
-        "${install} -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'"
-        "${install} -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'"
-        "${install} -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'"
-        "${install} -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'"
-        "${install} -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'"
+    in ''
+      install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'
+      install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'
+      install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'
+      install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'
+      install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'
+      install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'
 
-        "${install} -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'"
-        "${install} -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'"
-        "${install} -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'"
-        "${install} -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'"
+      install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'
+      install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
+      install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
+      install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'
 
-        "${lib.getExe pkgs.rsync} -a '${customTemplates}/' '${cfg.customDir}/templates/'"
-      ];
-    };
+      '${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
+    '';
   };
 }

hosts/kommode/services/gitea/default.nix

@@ -139,9 +139,6 @@ in {
         AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
       };
       actions.ENABLED = true;
-      webhook.ALLOWED_HOST_LIST = lib.concatStringsSep "," [
-        "external"
-      ];
     };
 
     dump = {

hosts/kommode/services/gitea/gpg.nix

@@ -38,11 +38,11 @@ in
       Type = "oneshot";
       User = cfg.user;
       PrivateNetwork = true;
-      ExecStart = [
-        "${lib.getExe pkgs.gnupg} --import '${config.sops.secrets."gitea/gpg-signing-key-public".path}'"
-        "${lib.getExe pkgs.gnupg} --import '${config.sops.secrets."gitea/gpg-signing-key-private".path}'"
-      ];
     };
+    script = ''
+      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-public".path}
+      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-private".path}
+    '';
   };
 
   services.gitea.settings."repository.signing" = {
@@ -50,8 +50,6 @@ in
     SIGNING_NAME = "PVV Git";
     SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
     INITIAL_COMMIT = "always";
-    MERGES = lib.concatStringsSep "," [ "always" ];
-    CRUD_ACTIONS = lib.concatStringsSep "," [ "always" ];
     WIKI = "always";
   };
 }

hosts/kommode/services/gitea/import-users/default.nix

@@ -11,9 +11,9 @@ in
 
   systemd.services.gitea-import-users = lib.mkIf cfg.enable {
     enable = true;
+    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
     environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
     serviceConfig = {
-      ExecStartPre = ''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
       ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
         flakeIgnore = [
           "E501" # Line over 80 chars lol

hosts/lupine/configuration.nix

@@ -18,6 +18,9 @@
     anyInterface = true;
   };
 
+  # There are no smart devices
+  services.smartd.enable = false;
+
   # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "25.05";

hosts/temmie/services/userweb/default.nix

@@ -39,7 +39,7 @@ let
     extraConfig = phpOptions;
   };
 
-  perlEnv = (pkgs.perl.withPackages (ps: with ps; [
+  perlEnv = pkgs.perl.withPackages (ps: with ps; [
     pkgs.exiftool
     pkgs.ikiwiki
     pkgs.irssi
@@ -54,14 +54,7 @@ let
     ImageMagick
     JSON
     TemplateToolkit
-  ])).overrideAttrs (prev: {
-    # NOTE: `pkgs.perl.propagatedBuildInputs` don't actually propagate through the
-    #       wrapper derivation created by `withPackages`. This should compensate
-    #       for that.
-    postBuild = prev.postBuild + ''
-      cp -r '${pkgs.perl}/nix-support' "$out"/nix-support
-    '';
-  });
+  ]);
 
   # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
   pythonEnv = pkgs.python3.buildEnv.override {
@@ -74,6 +67,21 @@ let
     ignoreCollisions = true;
   };
 
+  sendmailWrapper = pkgs.writeShellApplication {
+    name = "sendmail";
+    runtimeInputs = [ ];
+    text = ''
+      args=("$@")
+
+      if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
+          # Prepend -fusername to the argument list, so bounces go to the user
+          args=("-f$USERDIR_USER" "''${args[@]}")
+      fi
+
+      exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
+    '';
+  };
+
   # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
   fhsEnv = pkgs.buildEnv {
     name = "userweb-env";
@@ -81,7 +89,7 @@ let
     paths = with pkgs; [
       bash
 
-      config.services.bro.instances.userweb-sendmail.client.package
+      sendmailWrapper
 
       perlEnv
       pythonEnv
@@ -176,21 +184,17 @@ in
     extraModules = [
       "systemd"
       "userdir"
-      {
-        name = "perl";
-        path = let
-          mod_perl = pkgs.symlinkJoin {
-            name = "userweb_modperl_with_custom_perl_env";
-            ignoreCollisions = true;
-            paths = [
-              (pkgs.apacheHttpdPackages.mod_perl.override {
-                apacheHttpd = cfg.package.out;
-              })
-              perlEnv
-            ];
-          };
-        in "${mod_perl}/modules/mod_perl.so";
-      }
+      # TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
+      #       incorrect or restrictive assumptions upstream, either nixpkgs or source
+      # {
+      #   name = "perl";
+      #   path = let
+      #     mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
+      #       apacheHttpd = cfg.package.out;
+      #       perl = perlEnv;
+      #     };
+      #   in "${mod_perl}/modules/mod_perl.so";
+      # }
     ];
 
     extraConfig = ''
@@ -199,14 +203,11 @@ in
       ScriptLog ${cfg.logDir}/cgi.log
     '';
 
+    # virtualHosts."userweb.pvv.ntnu.no" = {
     virtualHosts."temmie.pvv.ntnu.no" = {
       forceSSL = true;
       enableACME = true;
 
-      serverAliases = [
-        "www2.pvv.ntnu.no"
-      ];
-
       extraConfig = ''
         UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
         UserDir disabled root
@@ -257,14 +258,6 @@ in
   #   ];
   # };
 
-  # NOTE: 54 -> 33, this is the UID/GID we used for www-data on tom in the past.
-  #       Any files accessed by or created by httpd will do so over NFS with this
-  #       UID/GID pair as its credentials.
-  #       This overlaps with the hardcoded `disnix` uid in nixpkgs, but we *probably*
-  #       won't be using that for the foreseeable future.
-  users.users."wwwrun".uid = lib.mkForce 33;
-  users.groups."wwwrun".gid = lib.mkForce 33;
-
   systemd.services.httpd = {
     after = [ "pvv-homedirs.target" ];
     requires = [ "pvv-homedirs.target" ];

hosts/temmie/services/userweb/mail.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 {
   services.postfix.enable = lib.mkForce false;
 
@@ -9,111 +9,4 @@
       remotes = "mail.pvv.ntnu.no smtp --port=25";
     };
   };
-
-  services.bro = {
-    enable = true;
-
-    instances.userweb-sendmail = {
-      enable = true;
-
-      client = {
-        settings.BRO_FILE_FLAGS = [
-          "-C"
-        ];
-      };
-
-      server = {
-        settings = {
-          executable = let
-            sendmailWrapper = pkgs.writeShellApplication {
-              name = "sendmail";
-              runtimeInputs = [ ];
-              bashOptions = [
-                "errexit"
-                "pipefail"
-              ];
-              text = ''
-                args=("$@")
-
-                if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
-                    # Prepend -fusername to the argument list, so bounces go to the user
-                    args=("-f$USERDIR_USER" "''${args[@]}")
-                fi
-
-                exec '${lib.getExe pkgs.system-sendmail}' -t -i "''${args[@]}"
-              '';
-            };
-          in lib.getExe sendmailWrapper;
-          allowed-env = [ "USERDIR_USER" ];
-        };
-      };
-    };
-  };
-
-  environment.systemPackages = [
-    (config.services.bro.instances.userweb-sendmail.client.package.overrideAttrs (prev: {
-      buildCommand = prev.buildCommand + ''
-        mv "$out/bin/sendmail" "$out/bin/bro-sendmail"
-      '';
-    }))
-  ];
-
-  users.users.nullmailer-user = {
-    enable = true;
-    isSystemUser = true;
-    group = "nullmailer-user";
-  };
-
-  users.groups.nullmailer-user = { };
-
-  systemd.services.bro-userweb-sendmail = {
-    serviceConfig = {
-      User = "nullmailer-user";
-      Group = "nullmailer-user";
-
-      ReadWritePaths = [
-        "/var/spool/nullmailer"
-      ];
-
-      AmbientCapabilities = "";
-      CapabilityBoundingSet = "";
-      NoNewPrivileges = false;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      PrivateTmp = true;
-      PrivateDevices = true;
-      PrivateUsers = false;
-      ProtectHostname = true;
-      ProtectClock = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectKernelLogs = true;
-      ProtectControlGroups = true;
-      RestrictAddressFamilies = [
-        "AF_UNIX"
-        "AF_INET"
-        "AF_INET6"
-        "AF_NETLINK"
-      ];
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      PrivateMounts = true;
-      ProcSubset = "pid";
-      ProtectProc = "invisible";
-      RemoveIPC = true;
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@resources"
-      ];
-      UMask = "0077";
-    };
-  };
-
-  systemd.services.httpd.serviceConfig = {
-    BindPaths = [ (lib.head config.systemd.sockets.bro-userweb-sendmail.listenStreams) ];
-  };
 }

modules/grzegorz.nix

@@ -16,7 +16,7 @@ in {
   };
 
   systemd.user.services.restart-greg-ng = {
-    serviceConfig.ExecStart = "${lib.getExe' pkgs.systemd "systemctl"} --user restart greg-ng.service";
+    script = "systemctl --user restart greg-ng.service";
     startAt = "*-*-* 06:30:00";
   };
 

modules/matrix-ooye.nix

@@ -171,9 +171,6 @@ in
         requires = [ "matrix-ooye-pre-start.service" ];
         wantedBy = [ "multi-user.target" ];
 
-        startLimitIntervalSec = 5;
-        startLimitBurst = 5;
-
         serviceConfig = {
           ExecStart = lib.getExe config.services.matrix-ooye.package;
           WorkingDirectory = "/var/lib/matrix-ooye";
@@ -185,6 +182,8 @@ in
           #PrivateDevices = true;
           Restart = "on-failure";
           RestartSec = "5s";
+          StartLimitIntervalSec = "5s";
+          StartLimitBurst = "5";
           DynamicUser = true;
         };
       };

packages/mediawiki-extensions/default.nix

@@ -15,13 +15,12 @@ let
   , tracking-branch ? "REL1_45"
   , kebab-name ? kebab-case-name name
   , fetchgit ? pkgs.fetchgit
-  , url ? "https://gerrit.wikimedia.org/r/mediawiki/extensions/${name}"
   }:
   {
     ${name} = (fetchgit {
       name = "mediawiki-${kebab-name}-source";
+      url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/${name}";
       rev = commit;
-      inherit url;
       inherit hash;
     }).overrideAttrs (_: {
       passthru = { inherit name kebab-name tracking-branch; };
@@ -39,23 +38,18 @@ lib.mergeAttrsList [
   })
   (mw-ext {
     name = "CodeMirror";
-    commit = "7ab826eff8c4097589a3199c40c507717af23234";
-    hash = "sha256-kMIyGW9J4OSGSetByel7hEGgxPRJmQ53it6ndpYA/Hs=";
+    commit = "f06dfd40a08562a841ddf11b4ae3444ef06c98c7";
+    hash = "sha256-5zXkBjOwFdoQezkPRJ2AcBZLZEEpGG6FawO2K3KzllI=";
   })
   (mw-ext {
     name = "DeleteBatch";
-    commit = "b5920283cfe78b86a63a1037a81651c58ce764da";
-    hash = "sha256-LwuVX2s5Q4uc6o7hlTjFzRTwvSCwTk74gBpX0HoLDMA=";
-  })
-  (mw-ext {
-    name = "PdfHandler";
-    commit = "dc1a3ca04ac6ec7d7de7ce5355803510508a2575";
-    hash = "sha256-ltAQZtfTMMLRPATA7rclSNW8Yz4ctGc30CxlL3SRBWU=";
+    commit = "9bc75a753efefedfc88c598fb01f18a7e4b61f00";
+    hash = "sha256-1xA758fsvoioN9xuq0hRqZKtPXMQViVLtuRINDtowdk=";
   })
   (mw-ext {
     name = "PluggableAuth";
-    commit = "4b57a23e32d72bd3f74184ff2734aa483a5b0c63";
-    hash = "sha256-ZGw0Wgz0Sg04YDcOzkOGywmfQ6s6Ex17QbjmUDO1D8c=";
+    commit = "64133683b73d8eeea8069fe7ed9cb7237fd5c212";
+    hash = "sha256-wqpfgVLenZp6XC510nrsrbvK1IMEPcWVYq5YuAOt5+c=";
   })
   (mw-ext {
     name = "Popups";
@@ -64,46 +58,38 @@ lib.mergeAttrsList [
   })
   (mw-ext {
     name = "Scribunto";
-    commit = "35c85c96167922adc98e62dd6573789d906dd7d7";
-    hash = "sha256-FEWADJW53cDOlLseM62VL66PENv/jNnwuCMo2Pb02ek=";
+    commit = "cbab0c740e03c8e6184fd647d95e24e0826d20cb";
+    hash = "sha256-vXS3+wrUBVtPsETa19pMvud9sALGt4Ao9mM5rQRbBQc=";
   })
   (mw-ext {
     name = "SimpleSAMLphp";
     kebab-name = "simple-saml-php";
-    commit = "70778bb02f972abbb51e6ba3e0f6545b00dcab00";
-    hash = "sha256-wfmFJKy+ih84qFM9DVcCQFAZBx45s7Hl0lRnseMPhGY=";
+    commit = "fc5ad4501434fe85198f0b1f0087d798efa91f9f";
+    hash = "sha256-se0krTglo1fShJXj38bPLhw65tZC5P54Ywt7oeZrLes=";
   })
   (mw-ext {
     name = "TemplateData";
-    commit = "cca3b3430067f2161bf65de822f70dd38fe07bba";
-    hash = "sha256-OxLwiF8FlWizkpDF9GXYfjehKtrltX8ihiCE+fNJpgw=";
+    commit = "d37b02f6ed194138ac7193a0782bbf6efb9164f8";
+    hash = "sha256-NpzVBzX7qfXkIE+jh33ndooS9GE8ZF3/Jynm22in7IQ=";
   })
   (mw-ext {
     name = "TemplateStyles";
-    commit = "101a159dd0190759a16551a86800144c18b6ff5c";
-    hash = "sha256-IGQQVAx8/76ivHq9b97ec1AlFoqbRl7uhXhwoFimsG4=";
+    commit = "f85614c26a0057a9f418342f89214a04c9de9988";
+    hash = "sha256-XZOtM3iadjE5vavsjkx7kfJNhLZlnnFt1CN+mv6XVHQ=";
   })
   (mw-ext {
     name = "UserMerge";
-    commit = "6c0d105e07538c34bfde989bd26fa1945f8d1b79";
-    hash = "sha256-w058Ihk0I98hIG1tkVJGy1bzbv7XXyUksGexXgCN540=";
+    commit = "2f2432c909a36691ca0002daf6fb304d6c182beb";
+    hash = "sha256-ZP8Tp6u+uJxx3I39YGMmkP0sTnjAQUSaxImAJaRv+Ek=";
   })
   (mw-ext {
     name = "VisualEditor";
-    commit = "8d8c6d7f179a5f799e1fa8cba207d81f58f722d2";
-    hash = "sha256-wbYHXi2vD521EMzUl7ttinG4YdLv/DwYvVUew7dka0g=";
+    commit = "1508d49d0dd71fdc1d18badd23671441b3bc327b";
+    hash = "sha256-VNiCVNrCAImAr1tS9T28KPPzzNsKPz5ELFRIBtng+So=";
   })
   (mw-ext {
     name = "WikiEditor";
-    commit = "f53000f0499858fe74e4f5008b2f5e467d9d9382";
-    hash = "sha256-+HTXZEVCwMD8z6c1kCZA3k686HzNd30pJljzRvf+gMg=";
-  })
-
-  (mw-ext {
-    name = "MediawikiMatrixNotifs";
-    commit = "52d2a46c03f51af7c16ed4d7b3b07b0cbbffb4df";
-    hash = "sha256-AADWunm2Rn2cfxeu9xyYBw5txnaIbJNdR3jxLqgzAy8=";
-    url = "https://git.pvv.ntnu.no/oysteikt/mediawiki-matrix-notifs.git";
-    tracking-branch = "master";
+    commit = "aba5e7c6701877a6b43583709751658fec606d47";
+    hash = "sha256-XmbQy0NXuY3oVGkkgC233kkzfBfx32HDylloGYXU/Nc=";
   })
 ]

values.nix

@@ -36,6 +36,10 @@ in rec {
       ipv4 = pvv-ipv4 168;
       ipv6 = pvv-ipv6 168;
     };
+    dagali = {
+      ipv4 = pvv-ipv4 185;
+      ipv6 = pvv-ipv6 185;
+    };
     ildkule = {
       ipv4 = "129.241.100.145";
       ipv4_internal = "192.168.1.17";
@@ -55,11 +59,11 @@ in rec {
     };
     brzeczyszczykiewicz = {
       ipv4 = pvv-ipv4 205;
-      ipv6 = pvv-ipv6 205;
+      ipv6 = pvv-ipv6 "1:50"; # Wtf peder why
     };
     georg = {
       ipv4 = pvv-ipv4 204;
-      ipv6 = pvv-ipv6 204;
+      ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
     };
     kommode = {
       ipv4 = pvv-ipv4 223;